Who: ECJ, Information Commissioner’s Office, Article 29 Working Party, European Commission
Where: EU and US
When: From 6 October 2015
Law stated as at: 13 November 2015
In last month’s blog, we reported on the very significant decision of the CJEU in Case C-372/14 Maximillian Schrems v Data Protection Commissioner, which invalidated the EU-US Safe Harbor framework.
Since then, the EU’s Article 29 working party has issued its first formal statement, the Information Commissioner’s Office (the “ICO”, the regulator in the UK) has blogged on the judgment and the European Commission has provided its remarks and issued an explanatory communication.
In its communication, the European Commission re-iterated that alternative compliance tools can still be used to transfer personal data to countries outside the EU (including the U.S). However, it also confirmed that: (i) it would shortly be preparing a decision to remove provisions in existing adequacy decisions (including, presumably, the EU Model Clauses) limiting the powers of the local data protection authorities to examine, with complete independence whether data transfers to a third country comply with data protection laws; and (ii) it will engage in a regular assessment of existing and future adequacy decisions.
On the other side of the pond, rather sooner than expected, and arguably resolving (or potentially resolving) one of the concerns raised by the CJEU in relation to data transfers to the U.S., the U.S. Congress has passed the Judicial Redress Act. There are still a few hoops to jump through, but, if brought into force, the Judicial Redress Act would allow non-U.S. citizens to bring civil actions against U.S. agencies in certain circumstances (and, as always, the devil is in the detail).
It has clearly been a busy few weeks…
So, where are we now?
Without meaning to over-simplify (we go into more detail here), and bearing in mind that we are still expecting further guidance to be issued by local data protection authorities in each of the EU Member States, the key messages are as follows:
Transfers taking place purely on the basis of Safe Harbor are unlawful. While a new, negotiated “Safe Harbor 2.0” could be part of the solution in the future; in the meantime, companies should start considering alternative compliance tools and put matters in motion so that they at least can demonstrate having considered the issue if they are investigated.
As emphasised by the ICO, the first step should be to take stock and work out what personal data is being transferred outside the EU, where it is going, and what arrangements are currently in place to ensure that it is adequate protected. Once that is done, consider the alternative compliance tools, which (for now and if used properly) are a reliable means of legitimising data transfers. Unfortunately, most of those tools have their limitations, and while not perfect, EU Model Clauses are coming out as the favoured option. However, please note that they too come with their fair share of problems and it is not as easy as simply signing them. This is particularly the case in relation to transfers from one data processor to another, for which there are no European Commission-approved Model Clauses.
Is there a grace period?
The Article 29 working party has mentioned the end of January 2016 as the date by which EU Member States and institutions need to find an alternative long-term solution with the U.S. authorities (such as Safe Harbor 2.0). This suggests that enforcement action by a local data protection authority before 31 January 2016 is unlikely, although such action is not explicitly ruled out. It is also important to bear in mind that the approach by regulators in each EU Member State may vary.
Why this matters:
These are clearly very uncertain times for businesses transferring personal data outside the EU. In the short to mid-term, a series of steps will need to be taken to ensure compliance with data protection laws in the EU. In the longer term and when reflecting on the bigger picture, we can expect co-operation between EU Member States, EU institutions and U.S. authorities to come up with workable solutions for enabling EU-US data transfers. We shouldn’t also forget the potential impact of the new European General Data Protection Regulation, which is currently being discussed at European level and is expected to be agreed at the end of this year or beginning of next.